• How long has it been since we had a patched 0day that jumped up and bit us?


    #2261820

    I’m in the middle of a Tweetstorm – par for the course – but had an interesting response to one of my standard questions. The question goes like this:
    [See the full post at: How long has it been since we had a patched 0day that jumped up and bit us?]

    2 users thanked author for this post.
    • #2261835

      My name is Jon Sawyer, otherwise known as jcase or cunninglogic online.

      I’m an exploit engineer; for about a decade I have been finding vulnerabilities and writing exploits for a living. I have put kids through college, I’ve bought my house, my cars and funded my retirement with exploits. Anyone doubting my credentials like Woody did is free to run my name through any search engine. You can find mention of me in books, articles written by competent journalists, dozens of patches from vendors, security halls of fame, many dozens of disclosures, training material, and so on.

      Your advice is putting your users at risk, and would constitute malpractice IF you were a security professional. Without violating any NDAs or classifications, I can say nday vulnerabilities are commonly exploited. I can say I have analyzed malware this year using recently patched vulnerabilities for escalation. You lack the professional experience and knowledge to be making claims that they are not. I’m not insulting you with this, I’m pointing out the obvious: VR and exdev are not your areas of professional practice.

      There are patched vulnerabilities (not to misuse the term 0day like you are) biting people in the rear today, and every day, because of advice from people like you not to update in a responsible time frame. Systems lagging on security updates are exactly what people like me love to find; it makes our work easier. I can do a binary diff of updates, find exactly what was patched, and reduce the time needed to find a vulnerability and produce an exploit from months to hours or days, and that is assuming the update doesn’t disclose exactly what the patched vulnerabilities are; if it does, then that can further reduce the time.

      To your readers, please listen to security professionals. You (hopefully) don’t take medical advice from electricians without a medical background, please don’t take security advice from bloggers without a security background.


      1 user thanked author for this post.
      • #2261845

        We’ve been going back and forth on Twitter… and I repeat: Name just ONE zero-day that’s been widely exploited within a few weeks of the patch.

        • #2261867

          I do think you confuse the issue by using the term “zero-day”.

          By definition, a zero-day has NOT been patched:

          A zero-day (also known as 0-day) vulnerability is a computer-software vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability (including the vendor of the target software).

          For zero-day exploits, … the probability that a user has applied a vendor-supplied patch that fixes the problem is zero, so the exploit would remain available.

          https://en.wikipedia.org/wiki/Zero-day_(computing)

          Here, on the other hand, you’re asking for examples of vulnerabilities which have been exploited soon AFTER the patch has been publicly announced and made available.

          1 user thanked author for this post.
          • #2261939

            I should probably say “nday” with 0 < n <= 20 or so.

            1 user thanked author for this post.
            • #2261973

              I like that you have started to use a proper term after I pointed it out to you, but nday has nothing to do with less than 20.

            • #2261985

              Yep. The <= 20 is my shorthand for “before I recommend that everyone install the patch.”

      • #2261880

        Think of the audience.  I still argue that the rank-and-file normal Windows user has time to hold back just a smidge and watch for side effects.

        To be fair, the use of the phrase “patched zero days” is a bit of an oxymoron.  A zero day is by definition something for which we don’t have a patch.  Once we have the patch, then it’s no longer a zero day.  To update in a “responsible time frame” is exactly what is needed by both the vendor and the audience.   The vendor needs to provide a better mechanism for reporting and tracking patching issues; otherwise we will be in this mess of a social echo chamber that is even acknowledged on their own site:  https://docs.microsoft.com/ro-ro/windows/release-information/status-windows-10-1903#400msgdesc

        Currently I am assisting a patcher that can’t install the April updates because they cause his group policy printers to not print.  The official Microsoft support case that we opened up has been horrific to watch from the sidelines.  Just yesterday the support personnel sent an email that basically confirmed that once the update was installed, he could no longer get certain printer drivers installed.  No kidding, Sherlock, that’s what we opened the case for a week ago, trying to get you guys to investigate why this patch is causing this issue.   We’re still no closer to figuring out why this patch is having this side effect.  Microsoft’s outsourced support process is not helping one bit to get issues identified and acknowledged, and until that process is better, “reasonable time frames” are subject to argument.

        For the record I have a GSEC credential (and I keep it renewed and maintained).

        Susan Bradley Patch Lady/Prudent patcher

        4 users thanked author for this post.
    • #2261861

      Susan Bradley Patch Lady/Prudent patcher

      3 users thanked author for this post.
      • #2261869

        Susan,

        Two entirely different issues with two entirely different threats. Not updating for years is far worse, but doesn’t make short term delaying of security patches sane. One is @#$%#@$ insane, one is just mildly insane. You won’t find one competent security professional backing Woody’s advice.

        Jon

        • #2261876

          I like to look at it the other way.

          I haven’t found one knowledgeable Windows security professional who allows Patch Tuesday patches to install, unvetted.

          • #2261882

            I do on test machines, but that’s what they are there for.

            Susan Bradley Patch Lady/Prudent patcher

            1 user thanked author for this post.
            • #2261886

              Ooops. 🙂 Yes, I should’ve said I don’t know more than a handful of bona fide Windows security gurus who allow Patch Tuesday patches to install unvetted on their production machines.

            • #2261897

              Your advice seems geared towards end users, not production sysadmins.

              1 user thanked author for this post.
          • #2261895

            There is a difference in self vetting updates in corporate environments, and tasking non-security professionals to vet updates.

            1 user thanked author for this post.
            • #2261900

              That’s quite correct.

              It’s the difference between folks hooked up directly to Windows Update (that’s my bailiwick), and folks who are on networks with Update Servers (Susan’s specialty).

        • #2262623

          Not updating for years is far worse, but doesn’t make short term delaying of security patches sane. One is @#$%#@$ insane, one is just mildly insane. You won’t find one competent security professional backing Woody’s advice.

          Maybe not, but Woody’s advice has value specifically because he is not a security professional.

          A security professional’s job is to obsess about security, to dream up all kinds of ways in which a system can be exploited, and to do their best to make sure that doesn’t happen. Security is everything to them, obviously.

          Woody, quite obviously, is not a security professional.  He’s a person whose concern is how well people’s computers run.  Security threats certainly have a major role in that, but they aren’t the only thing that has to be considered.  The very real possibility of a security patch causing unwanted effects is a big factor too, and we’ve seen too many patches from Microsoft and others to know that this is a real threat too, and often one that’s more likely to be seen by average desktop PC users than the latest security exploit coming down the pike.  Woody’s view is to balance the potential cost and the potential benefit of any given patch or set of patches.  You can, of course, take or leave his advice.  We know what yours would be (it’s stated pretty clearly in the bit I quoted above), which people can also take or leave.

          It’s quite normal for experts within any field of inquiry to have a tunnel focus on their own area of study.  That’s what we pay them for, of course… we don’t hire an IT security professional to give advice about defragmenting hard drives or keeping dust bunnies out of the cooling fans.  Those things are for someone else to worry about.  They’re still important, though, even if the advice from a fully competent security professional completely ignores them when it comes to giving advice.

          It’s the same thing that’s happening in the non-IT world with COVID.  Epidemiologists have the same tunnel focus on disease, and their recommendations are based on that, and only that (and Dr. Fauci has said exactly that in reference to his own advice).  They’re not (professionally) concerned with the economy, the well-being of small business, the mental health of the populace, personal liberty, or anything like that.  Those things are outside the domain of expertise for disease experts, and opinions on those things are not what we pay them for.  We want their opinions about disease, but it’s up to us (and the politicians that represent us) to balance their opinions with factors in other areas of concern.

          Woody’s doing a cost/benefit analysis before giving his advice.  Whether or not he achieves an optimal balance is certainly up for debate, but he’s taking information from multiple sources, not just security experts.  Of course it’s going to seem insane to a person who lives and breathes security.

          There are no perfect solutions, and often advancing one thing causes a loss elsewhere.

          As I posted less than a week ago, the most recent microcode update issued for my Acer Swift’s Intel CPU (SoC) for the purpose of limiting the threat of side-channel exploits has caused regular hard freezes, and have made teleconferencing, in particular, quite impossible (a pretty big deal-breaker in light of what’s going on in the world now).  The freezes would happen at any time in any application, but they were particularly quick using a teleconferencing application, often happening within a few minutes, and only once taking more than a half hour (out of more than a dozen trials).  That one example took about an hour and a half.

          I reverted the microcode to the next newest version, and system stability was restored.  It has most of the mitigations that the errant microcode has, while the microcode in the system firmware has none of the Spectre mitigations at all, as it was released before these exploits were made public.  It would have been easy to simply go back to the one in firmware for maximum stability, but I didn’t do that.  I also didn’t keep the version with maximum security and minimum stability.  I think I struck a good balance, and I’ll keep this setup until/unless Intel issues a microcode that fixes this.  I’ll try it when it comes out, but if it keeps the stability issue, I’ll revert it too.

          Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
          XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
          Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

          5 users thanked author for this post.
    • #2261855

      Woody,

      1. Who cares if it’s widely? All it takes is one instance of exploitation hitting a box storing sensitive data. You use the term “widely” to downplay the effects of your ignorant advice. It doesn’t take 10,000s of instances of exploitation of an nday vulnerability (nday is the term you want to be using, btw) for it to have devastating impact. It takes ONE usage, on ONE box, that WASN’T updated, due to YOUR advice, to have devastating impact on tens of thousands of users. One bank’s computer, one doctor’s phone, one HR department’s laptop, one password management server. One, not thousands, not widely.
      2. I gave you three (left out of your blog post entirely, I’ll add); you dismissed one because it didn’t fit your scenario, and ignored two entirely. I’ll toss in two more recently disclosed and ACTIVELY being exploited as I type this, due to people not updating in a timely fashion: CVE-2020-11651 and CVE-2020-11652. Are they Windows OS vulnerabilities? No. Does the same reasoning and do the same principles apply? Yes.

      Suggesting people not update because you haven’t seen one hit recently is like suggesting we disband a pandemic response team or not refresh our medical supply stockpiles because we haven’t seen a recent pandemic…

      1 user thanked author for this post.
      • #2261881

        No, I think it’s a tradeoff.

        Is the typical Windows user more likely to get hit by a bug in a patch, or an exploit based on a recently-released patch?

        The equation changes every day. What I’m saying is that it’s been 16 years since I can point to a patch that had to be applied within two weeks.

        Which three did I miss?

        There was dePixel8, but it’s an Android vulnerability.

        CVE-2020-11651 and CVE-2020-11652 are for SaltStack Salt, which is way beyond the scope of “normal” Windows users.

        Methinks we’re talking apples and oranges.

        2 users thanked author for this post.
        • #2261889

          What is a more difficult task, and a more devastating scenario, Woody? Having to fix a Windows install, or trying to unleak all your employees’ W2s, or figuring out where your retirement account went?

          • #2261892

            So… you’re saying you know of a Windows security hole that was patched, then exploited within a few weeks, that led to leaked employee W2s?

            • #2261903

              I’m aware of patched Windows security vulnerabilities resulting in disclosure of highly sensitive confidential data, because people were not applying updates adequately. W2s were not a specific example of a real-life instance; it was a placeholder generalization that most people would understand. In real-life scenarios I’m aware of or have been involved in, the data disclosed was worse than W2s.

        • #2261902

          dePixel8 is a combo of exploits, not a vulnerability. The exploit was Android-specific; not all the vulnerabilities were.

          It’s NOT about the operating system, it’s about the theory and practice here. You are trying to narrow the scope to fit your (non-security-professional) opinion. It’s like saying “a pandemic hasn’t hit humans in years, why practice basic sanitary behavior”, because it CAN and WILL hit.

      • #2261968

        I think you miss the point of Woody’s advice to ordinary users. It is to sit tight and wait for the bugs to hit others from the dodgy patches. Then patch once the issues are known. It is not to never patch. It is risk management. What is more likely to harm an ordinary user, a buggy patch or an exploit? In most cases it is the buggy patch. Also, ordinary users do not have test machines readily available if their box gets nailed either way.

        Willy Sutton once observed he robbed banks because ‘that’s where the money is’. The same principle applies here. Most attempts to defraud ordinary users come from dodgy ads and spam rather than an exploit, and these are small scores (a few hundred dollars or less). This can be compounded with bad security habits (e.g. using public Wi-Fi for banking and shopping). This by its nature has to be a low-overhead operation. If one is able to defraud a bank or insurance company, maybe a few million dollars is on the line. So, if I had a ZD I would not waste it on an ordinary user, with the risk it gets found out and patched and very little reward. But I would use it on a very high-value target to maximize the takings before it gets shut down.

        6 users thanked author for this post.
      • #2261993

        Who cares if it’s widely? All it takes is one instance of exploitation hitting a box storing sensitive data. You use the term “widely” to downplay the effects of your ignorant advice. It doesn’t take 10,000s of instances of exploitation of an nday vulnerability (nday is the term you want to be using, btw) for it to have devastating impact. It takes ONE usage, on ONE box, that WASN’T updated,

        Let me suggest that if a single exploit is so devastating, you should not be using Windows at all. Microsoft is a company that in the last few years wrote new crypto code that forgot to simply check the generator provided by an elliptic curve adversary. Their security is a joke. If your systems are so critical they cannot be exploited even once, you are negligent for running MS software in the first place.

        • #2262018

          Who cares if it’s widely? All it takes is one instance of exploitation hitting a box storing sensitive data. You use the term “widely” to downplay the effects of your ignorant advice. It doesn’t take 10,000s of instances of exploitation of an nday vulnerability (nday is the term you want to be using, btw) for it to have devastating impact. It takes ONE usage, on ONE box, that WASN’T updated,

          Let me suggest that if a single exploit is so devastating, you should not be using Windows at all. Microsoft is a company that in the last few years wrote new crypto code that forgot to simply check the generator provided by an elliptic curve adversary. Their security is a joke. If your systems are so critical they cannot be exploited even once, you are negligent for running MS software in the first place.

          1. I don’t personally; I run Linux and OS X, but I do have Windows machines for various tasks. I have a laser engraver that only works on XP (obviously no network connection), I run a Windows VM for a NAND programmer, and my kids use Windows systems for games.
          2. Any software is vulnerable to something, and all OSs have made really dumb mistakes. No critical infrastructure or any system containing sensitive data should openly risk being exploited when mitigations or patches exist.
    • #2261871

      My observation: today’s fast-track reliable exploits are being used by organizations that try very hard to stay under the radar. The smart ones don’t release something into the wild. They are using them for tightly targeted victims. And in most cases, these targeted exploits are being used in this fashion long before they are a) reported and b) patched.

      Delayed patching is another ball of wax. I think I’ve made my position clear here in the past that a very small delay, for end users that are low risk, without the resources to recover gracefully from a botched patch, can make that decision for themselves. And in that light, Woody provides a decent service.

      But that is wholly inappropriate for business, for high risk targets, for ( -IMO- ) anyone that does banking or handles Intellectual Property or works for an essential service. The list I think is long, that’s just a sampling.

      I don’t call them Zero-days either.

      And Woody, asking the question you asked on Twitter is asking someone with actual knowledge who is also a responsible netizen to break all sorts of NDAs. Any answers on non-historical samples are likely to be fake, or from the wrong crowd.

      ~ Group "Weekend" ~

      4 users thanked author for this post.
      • #2261884

        Point well taken. I don’t want anyone to break an NDA.

        But I really would like to see one, solid example.

        1 user thanked author for this post.
      • #2261885

        NetDef,

        I would agree with your analysis almost entirely; great sane and reasonable post. Nday exploits are STILL a favorite for targeted exploitation, solely because people wait to update. Even then, those exploits don’t tend to be released publicly. Yes, they are in the wild as in actively being used against targets; no, they are not in the wild as in script kiddies building botnets with them and being picked up by every blogger in the world (which is the point Woody entirely misses).

        Pushing users to having a means of recovery would be infinitely wiser advice to push, than pushing them not to update. It would allow them to fix soooo many more problems than just a bad update.

        “for ( -IMO- ) anyone that does banking” – even my non-tech elderly parents are doing banking from their computers nowadays. Even my GRANDMOTHER is doing it.

        1 user thanked author for this post.
        • #2261898

          Well, OK, but you need to distinguish between exploits that are being targeted at specific high-profile systems, and regular Windows users.

          Organizations running high profile systems need to be much more proactive in their patching. That’s why we have Susan’s Master Patch List. But even they, with very rare exception, don’t allow patches to proliferate without testing.

          Everyday Windows users don’t have the luxury of testing regimens.

          1 user thanked author for this post.
          • #2261907

            Low profile doesn’t necessarily mean no one is looking at it or it has no sensitive data. Some HUGE breaches are the result of LOW profile systems getting targeted. Nowadays more and more sensitive work data is coming home, to low profile systems. Home PCs are becoming work PCs.

            • #2261926

              Yes, and that’s all the more reason why everybody should wait and see if new patches bring more problems.

            • #2261977

              No, that’s the reason you take the security updates asap.

          • #2262027

            Woody: “Everyday Windows users don’t have the luxury of testing regimens.”

            And everyday Windows users (like Yours Truly) probably also do not have the luxury of testing machines available to test patches if they wanted to: just the one PC actually used to do their work and/or communicate with the rest of the world.

            I know there is a chance that some day, somehow, I might be hit with something very nasty that was originally developed by some organization, legitimate or otherwise, and then was either sold under the table, or else leaked out into the wide world and, eventually, came into the hands of even bored pimply teenagers eager to do something interesting. And there is always a small chance that an unknowingly infected machine might, in turn, infect the emails that I am sent from a trusted source and look perfectly legitimate (and are legitimate, if infected) and the bug in one of them manages to get past my defenses.

            Well, in 22 years of using Windows, many really bad exploits have come and gone, some are still around, but I have never been troubled by any of them. There is always the chance that some day I might get caught by one; if so, what? What choices do I have to do something better than what I already do to protect myself: backups of the whole HD, use of AV, firewall, etc., asking for, listening to and following the advice of people who I am sure know enough about IT security? Answer: nothing, except to quit using computers, or at least never using them again to communicate through the Internet. Which, in my case, pretty much means not using the Internet at all and would be really bad.

            As what Woody calls a “regular user”, I have to chance it as described and, for that and other practical things, the advice given on this site has been, generally, helpful to me in many ways besides security, even if the latter might not be ideal for businesses and other organizations (and these should have the means to deal with so-called “0-days” and such: in-house and contracted expert advice, testing machines, etc. — or else those in charge would be guilty of not doing their proper due diligence).

            And, by the way, although Woody has already and repeatedly asked here for an example, just one, to prove those criticisms correct, all he has got, so far, are repetitions of the same criticisms, some phrased somewhat differently, without offering a shred of relevant information, particularly to regular users like myself.

            Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

            MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
            Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
            macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

            2 users thanked author for this post.
    • #2261894

      Pushing users to having a means of recovery would be infinitely wiser advice to push, than pushing them not to update. It would allow them to fix soooo many more problems than just a bad update.

      Yep.

      Backups! Verify backups! Verify “where” that backup resides! Verify/test that restoring that backup both works and that the restore process is understood!

      . . . and make sure one backup is offline at all times.

      ~ Group "Weekend" ~

      2 users thanked author for this post.
      • #2261901

        It would be nicer if the vendor provided for a way more robust bare metal backup process.  How about a process to automatically kick a backup before updates are installed?

        Susan Bradley Patch Lady/Prudent patcher

        2 users thanked author for this post.
        • #2262387

          How about a process to automatically kick a backup before updates are installed?

          It’s called Task Scheduler.

          Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
          We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
          We were all once "Average Users".
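          As an added illustration of the “Task Scheduler” answer above (example code, not from any poster in this thread): a scheduled task that creates a System Restore point when the Windows Update client logs that it has started downloading an update, and lifts the default once-per-24-hours throttle so the point is actually created. It assumes event ID 44 in the Microsoft-Windows-WindowsUpdateClient/Operational log is the “started downloading” event; check that on your own build and adjust the ID if it differs.

```powershell
# Added example (not from the thread): register a task that takes a System Restore
# point whenever Windows Update starts downloading, so a known-good checkpoint exists
# before installation runs. Run from an elevated PowerShell 5.1 prompt.
# ASSUMPTION: event ID 44 in Microsoft-Windows-WindowsUpdateClient/Operational is
# "started downloading an update"; verify in Event Viewer and adjust if needed.

$taskName = 'RestorePointBeforeUpdate'

# 1. By default Windows skips a new restore point if one was made in the last 24 h.
#    Setting the creation frequency to 0 minutes removes that throttle.
$srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
Set-ItemProperty -Path $srKey -Name 'SystemRestorePointCreationFrequency' -Value 0 -Type DWord

# 2. Make sure System Restore is enabled for the system drive.
Enable-ComputerRestore -Drive "$env:SystemDrive\"

# 3. The task action: create a restore point with a timestamped description.
$script = 'Checkpoint-Computer -Description ("Pre-update " + (Get-Date -Format s)) -RestorePointType MODIFY_SETTINGS'
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -Command `"$script`""

# 4. An event-log trigger. New-ScheduledTaskTrigger has no parameter for event
#    triggers, so the trigger object is built through the Task Scheduler CIM class.
$cimClass = Get-CimClass -Namespace 'Root/Microsoft/Windows/TaskScheduler' -ClassName 'MSFT_TaskEventTrigger'
$trigger = New-CimInstance -CimClass $cimClass -ClientOnly
$trigger.Enabled = $true
$trigger.Subscription = @"
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-WindowsUpdateClient/Operational">
    <Select Path="Microsoft-Windows-WindowsUpdateClient/Operational">
      *[System[Provider[@Name='Microsoft-Windows-WindowsUpdateClient'] and EventID=44]]
    </Select>
  </Query>
</QueryList>
"@

# 5. Restore points need administrative rights, so run as SYSTEM; ignore a second
#    firing while one is already running, and cap the run time.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew -ExecutionTimeLimit (New-TimeSpan -Minutes 15)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# 6. Check: the task is registered, and after the next update cycle a "Pre-update"
#    entry should appear among the most recent restore points.
Get-ScheduledTask -TaskName $taskName | Select-Object TaskName, State
Get-ComputerRestorePoint | Select-Object -Last 3 SequenceNumber, Description, CreationTime
```

          A restore point protects the OS and registry, not user files, so it complements rather than replaces the full drive image the signature above recommends.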

          • #2262997

            Well, yes, that works, but how about a Windows system restore that always sets a restore point before any patch is installed, and where that system restore function is robust enough to revert anything, even Windows build upgrades?  That would help a lot.  I make regular backups like you do, and we both preach about that frequently, but not everyone listens.  This would be a relatively painless way to make it happen anyway, unless the person turns the restore function off.


            Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
            XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
            Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

            1 user thanked author for this post.
            • #2263014

              Ascaris: With Windows, I have always created a restore point before installing something new, particularly patches. It is not a big deal (at least through Windows 7). The main thing is not to allow automatic updates. But sometimes that might be something one misses, and those updates still are going to update automatically.

              Now, if one were to make available a procedure that also can automate the creation of restore points before automatic updates, that would be an improvement on the way things are, even for me.

              Not sure what this has to do with surreptitious malware that get in through phishing, contaminated emails or hacked Websites.

              Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

              MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
              Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
              macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

    • #2261904

      It would be nicer if the vendor provided for a way more robust bare metal backup process.  How about a process to automatically kick a backup before updates are installed?

      I really like the a/b partition scheme that embedded systems have started using for updates. Update fails? Swap back to the secondary image set and keep rolling.

      1 user thanked author for this post.
      • #2261936

        Good idea. It’d solve a whole lot of problems – especially if it could be reliably kick-started.

    • #2261923

      The first thing that jumped to mind was meltdown/ spectre.

      Upon its discovery, the amount of scaremongering that followed seems to have been superseded with added dramatics and tales of woe for almost all 0-days and exploits ever since.

      That doesn’t mean I/we ignore them; it’s just more research and time that becomes tiresome and laborious, when all I/we wish to do is use a PC/mobile for internet access. I have my thoughts on this, some would read conspiracy theories, but we all have ’em.

      Thanks Woody, interesting request

      1 user thanked author for this post.
    • #2261981

      Meltdown and Spectre (1, 2, 3, etc.) were/are an important example – but, again, there were (and are) no general exploits. PoCs, yes, but nothing that normal computer users need to be worried about.

      https://www.askwoody.com/2018/microsoft-pushes-more-spectre-v2-microcode-updates-kb-4090007-kb-4091663-kb-4091664/

      Are you serious? No general exploits, only POCs? I have seen fully weaponized exploits for speculative execution vulnerabilities. I’ve never once seen someone suggest this wasn’t a real thing until now. Woody, again, this is not your area to be speaking on. You are NOT a subject matter expert here, and you shouldn’t be giving advice like you are one, or leading people to believe you are one. Just because you, someone who really is not in the infosec field, hasn’t seen something, doesn’t mean it doesn’t exist.

      Your advice and attitude is akin to people saying “I’m not vaccinating my kids for measles because I never had it” or “I’m not vaccinating my kids for polio, my great grandfather had it and he was fine.”

      You keep asking for examples of ndays being exploited; every time I’ve pointed one out, “but but it’s not Windows”. Doesn’t matter; it’s not about the specific incident, it’s about the behavior and attitude. Do you really think Windows is immune to such instances? Especially with your low opinion of MS’s code and updates, you would think that it would be a plausible scenario.

    • #2262016

      The first thing that jumped to mind was meltdown/ spectre.

      Upon it’s discovery, the amount of scaremongering that followed seems to have been superceded with added dramatics and tales of woe for almost all 0-days and exploits ever since.

      That doesn’t mean I/we ignore them, it’s just more research and time that becomes tiresome and laborious, when all I/we wish to do is use a PC/Mobile for internet access. I have my thoughts on this, some would read as conspiracy theories, but we all have ’em.

      Thanks Woody, interesting request

      Meltdown and Spectre are very special vulns, and not trivial to weaponize an exploit for (ignore Woody’s suggestion that only POCs exist; full exploits do exist for this class of vulnerability). They really are not the type of bug I would worry about someone having a full exploit chain for a day after a patch is released. Other more trivial ones I certainly do.

      1 user thanked author for this post.
      • #2262216

        Meltdown and spectre are very special vulns

        I stand by my original statement. Meltdown and the Spectres pose no threat to everyday Windows users. If you’re running a banking transaction system, or decrypting confidential messages, sure, you should be concerned. But the amount of overhead in successfully hacking just one machine is enormous.

        In spite of the well-orchestrated advertising campaign around the unveiling of Meltdown and Spectre, and “sky is falling” cries from many corners, not one single mainstream Meltdown or Spectre (or LVI) exploit has appeared. It’s been more than two years.

        Besides, we’re talking about the need to patch Windows/Office within weeks. Meltdown and Spectre never presented that kind of threat for “normal” Windows users.

        1 user thanked author for this post.
    • #2262047

      I’d be more interested in knowing whether there has ever been a documented case of a successful malware attack against a machine that was left unpatched specifically because its owner was following the MS-Defcon system on this web site.

      i7-10700k - ASROCK Z590 Pro4 - 1TB 970 EVO Plus M.2 - DDR4 3200 x 32GB - GeForce RTX 3060 Ti FTW - Windows 10 Pro

      6 users thanked author for this post.
      • #2262057

        If, over all these years, such a malware attack had happened to some regular user that took to heart Woody’s advice not to worry about its likelihood for the time being, I suspect that all of us would have read here the written imprecations and lamentations of the so afflicted. Not a single case of that happening comes to mind. Does anyone remember one such case ever occurring here? Thanks.

        Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

        MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
        Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
        macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

        4 users thanked author for this post.
      • #2262225

        I’d be more interested in knowing whether there has ever been a documented case of a successful malware attack against a machine that was left unpatched specifically because its owner was following the MS-Defcon system on this web site.

        Man, I’d like to hear about that, too!

        I’ve been running the MS-DEFCON system on AskWoody for… what is it? … 16 years now. Every month. I’ve been publishing the warnings and analyses in Computerworld (and before that, Infoworld) for more than ten years. I haven’t heard from anybody who’s been bit by a bad call. But I’d really, really like to know if anyone has.

        • This reply was modified 4 years, 10 months ago by woody.
    • #2262053

      I’m a sysadmin for a banking company. I have rings of machines for staggered deployment. Everything backed up regularly, which is key. I wait 48 hours from the time MS releases a security update. The times MS has released a known broken update, it is almost always pulled and/or rereleased by then. Thursday is go time for the first several boxes. If no problems, the rest go early the next week. By the time client-facing production systems are ready to go it’s generally been a week or two. So on one hand, I’m technically two weeks behind the curve. On the other, I’ve never been hit, in decades, by a bad MS security update. The key is keeping clean machines and not littering them with all kinds of garbage software, and having a good security solution in place, including perimeter protection, desktop, safe and regular backups, network protection and segmentation, and the works.

      Critical vulnerabilities are fast-tracked and all systems are up within a few days. Even if the patch broke something, I have redundant systems I cycle out as needed, and restores are quick. You should always have a stand-in system in place before updating anything anyway.

      For home users with a single machine, if the value equation is truly “chance for patch to break Windows” vs. “chance for vulnerability to be exploited” then I think the same mistake is being made when people compare car crashes vs. plane crashes when they try to tell you how much safer air travel is. You can walk away from a car crash.

      • #2262059

        It is not the willful mistake of regular users, people with no testing machines, in-house advice, etc., based on a false premise: it is their lack of the practical alternatives that many businesses and organizations must have. The thing for them to do is wait for evidence that the patches to the vulnerability are available and not causing serious problems, or that attacks are actually under way targeting people willy-nilly. This should not be hard to understand.

        Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

        MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
        Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
        macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

        • This reply was modified 4 years, 10 months ago by OscarCP.
        1 user thanked author for this post.
      • #2262064

        For home users with a single machine, if the value equation is truly “chance for patch to break Windows” vs. “chance for vulnerability to be exploited” then I think the same mistake is being made when people compare car crashes vs. plane crashes when they try to tell you how much safer air travel is. You can walk away from a car crash.

        That’s not a good analogy to support your opinion; car fatalities are much more frequent than plane fatalities:

        Americans have a 1 in 114 chance of dying in a car crash,

        The odds of dying in air and space transport incidents, which include private flights and air taxis, are 1 in 9,821.

        In pure statistical terms, it’s more dangerous to drive a car than to fly on a plane. But it’s easy to see why the public often assumes otherwise. Car accidents may happen every day across the U.S., but many of them are minor with little or no injury. Airplane crashes, on the other hand, can be catastrophic, deadly events.

        Which Is Safer: Airplanes or Cars?

        1 user thanked author for this post.
    • #2262352

      (I am none of the above anons.) Are some people hacked? Yes, but it is hard to get data on that; businesses may be forced to admit it sometimes. Many people assume when their computer fails that “a virus” killed it, but post-mortem scans are often not done. And, when a hack is done, how often is it from a patched Microsoft vulnerability, instead of a user clicking “yes” to a warning, or from an unpatched one?

      Unfortunately there is a real lack of publicly available data for all of this. For an unemployed home user, I think the chance of trouble from an update, or from a virus or hack, are both very low if they have Windows Defender on. I have read articles that many home virus infestations are from expired non-Microsoft antivirus software, which is failing to update. MS-DEFCON is not meant as guidance for businesses of any size, in my opinion.

      Can a business safely delay patches by 3 weeks? What should a business tell (or deploy) to its employees with a computer (business owned) that they use at home? For a business, in my opinion the risk of untested patches is much more acceptable than the risk of hacks. If a computer is destroyed, that is nothing compared to the leak of business data. Things like the Sony hack could have meant employees going to jail or a business going bankrupt or worse. The ideal would be to test the patches first, quickly, and to have backups.

      Can I prove that patching early is a good idea? I really can’t, not with public information. But, for a business, although in my opinion both risks are low, comparing the consequences of computer loss vs hack loss, it seems obvious you should patch early.

    • #2262396

      Windows Update can really be simple. I have seen a host of difficulties described on tech-y sites and on many help and support sites that most likely would have been prevented if a consistent regimen of drive imaging had been in use.

      In the wee hours of every Sunday morning, Task Scheduler creates a set of drive images on an internal 1TB drive dedicated for image files. When Patch Tuesday (the second Tuesday of the month) rolls around, I’m ready for it. I’m not a fan of updating drivers needlessly, so I have Group Policy Editor > Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates > Enabled. But I don’t have Windows Updates Paused or restricted in any other way.

      This same regimen can be employed using an external drive, one that is plugged in for creating images, then unplugged and stored away for safekeeping. My regimen has evolved over the years to its present configuration, and has served me well, up to and including a house fire in 2011 that took my two PCs. I still have digital financial and business records going all the way back to January of 2000, thanks to drive image files. I haven’t lost any of my data. I’ve got some stuff that goes back to Windows for Workgroups 3.11.

      In the past couple of decades I have not had a Windows Update pooch any of my various installations. In addition, I only do clean installs on purpose-built bare metal, such as when I built my NAS. In every other case, I do upgrades of existing versions to the newer version. All of my Windows installations are kept fully updated. Other than drivers, I install everything that Microsoft offers my Windows installations as soon as it is offered. I don’t really care who says I “don’t need” certain updates. I’m my own Windows Expert.

      My experiences with Windows have brought me to the conjecture that the primary reason that I don’t have problems with Windows Updates is that I maintain fully updated systems. But, should such a problem ever occur, I’m ready for it. All I have to do in such an event is restore my latest drive image to completely remove the problem, then Pause Windows Update until Microsoft gets it sorted out.

      But, as I said, even though that has never happened, I am a firm believer in staying prepared.

      Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
      We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
      We were all once "Average Users".
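      The two practices described in this thread, the banking sysadmin’s staggered deployment rings with a 48-hour hold (#2262053) and the weekly drive image plus the “Do not include drivers with Windows Updates” policy in the post just above (#2262396), can both be expressed as machine configuration rather than a manual routine. The following PowerShell is an added example written for this thread; it is not code from any poster or from AskWoody. The ring names and day counts, the scheduled task name, the backup target drive letter, and the use of wbadmin as the imaging tool (the post does not name one) are all assumptions. It uses the documented Windows Update for Business deferral values under the WindowsUpdate policy key, which is the same key the Group Policy path quoted above writes to.

```powershell
# Added example, not code from the AskWoody thread or from any poster.
# Encodes two practices described above as policy values and a scheduled task:
#   - staggered deployment rings with a 48-hour hold (post #2262053)
#   - "Do not include drivers with Windows Updates" = Enabled and a weekly
#     Sunday-morning drive image (post #2262396)
# Ring names, day counts, task name and backup target drive are assumptions.
# Requires an elevated PowerShell on Windows 10/11 Pro or Enterprise.

$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Assumed ring table: days to hold quality (security) updates after release.
# ring0's 2 days reflects the "48 hours" wait described in the thread.
$Rings = [ordered]@{
    'ring0-pilot'      = 2
    'ring1-general'    = 7
    'ring2-production' = 14
}

function Get-PatchTuesday {
    # Second Tuesday of the month containing $Date (Microsoft's regular
    # security-update release day, as the thread calls it).
    param([datetime]$Date = (Get-Date))
    $first  = Get-Date -Year $Date.Year -Month $Date.Month -Day 1 -Hour 0 -Minute 0 -Second 0
    $offset = (([int][DayOfWeek]::Tuesday) - ([int]$first.DayOfWeek) + 7) % 7
    return $first.AddDays($offset + 7).Date
}

function Get-RingInstallDate {
    # Earliest date a machine in $Ring will be offered this month's quality update.
    param(
        [Parameter(Mandatory)][ValidateSet('ring0-pilot','ring1-general','ring2-production')]
        [string]$Ring,
        [datetime]$Date = (Get-Date)
    )
    return (Get-PatchTuesday -Date $Date).AddDays($Rings[$Ring])
}

function Set-UpdateRing {
    param(
        [Parameter(Mandatory)][ValidateSet('ring0-pilot','ring1-general','ring2-production')]
        [string]$Ring,
        [switch]$ExcludeDrivers
    )
    if (-not (Test-Path $WuPolicyKey)) { New-Item -Path $WuPolicyKey -Force | Out-Null }
    # Windows Update for Business deferral: quality updates can be held 0-30 days.
    Set-ItemProperty -Path $WuPolicyKey -Name DeferQualityUpdates -Type DWord -Value 1
    Set-ItemProperty -Path $WuPolicyKey -Name DeferQualityUpdatesPeriodInDays -Type DWord -Value $Rings[$Ring]
    # Registry equivalent of the GPO path quoted in the thread:
    # Windows Components > Windows Update > Do not include drivers with Windows Updates
    $driverValue = if ($ExcludeDrivers) { 1 } else { 0 }
    Set-ItemProperty -Path $WuPolicyKey -Name ExcludeWUDriversInQualityUpdate -Type DWord -Value $driverValue
}

function Get-UpdateRingState {
    # Read the configured values back so a ring's state can be audited.
    $p = Get-ItemProperty -Path $WuPolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DeferQualityUpdates    = [int]($p.DeferQualityUpdates)
        DeferDays              = [int]($p.DeferQualityUpdatesPeriodInDays)
        DriversExcluded        = ([int]($p.ExcludeWUDriversInQualityUpdate) -eq 1)
        PatchTuesdayThisMonth  = Get-PatchTuesday
    }
}

function Register-WeeklyImageTask {
    # Weekly Sunday 02:00 image of the system volume, run as SYSTEM.
    # wbadmin ("Backup and Restore" / Windows Server Backup) is an assumed
    # imaging tool; $Target is the dedicated image drive from the post.
    param([string]$Target = 'E:', [string]$TaskName = 'Weekly-SystemImage')
    $action    = New-ScheduledTaskAction -Execute 'wbadmin.exe' `
                   -Argument "start backup -backupTarget:$Target -include:C: -allCritical -quiet"
    $trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 2:00AM
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Force
}

# Usage (a pilot box: 2-day hold, drivers excluded, weekly image):
# Set-UpdateRing -Ring 'ring0-pilot' -ExcludeDrivers
# Register-WeeklyImageTask -Target 'E:'
# Get-UpdateRingState
# Get-RingInstallDate -Ring 'ring2-production'
```

      Get-RingInstallDate makes the ring schedule explicit: with the assumed table, ring0 machines see a Patch Tuesday update on Thursday, matching the "Thursday is go time" step in the sysadmin's post, and production machines see it two weeks later. Because the deferral is a policy value rather than a manual pause, a machine that is restored from the weekly image comes back with the same ring behaviour, and the recorded state from Get-UpdateRingState can be compared across rings to catch a box that was left on a longer hold than intended.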
